[ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Frank Ellermann
Douglas Otis wrote: > Look-alike exploits exist without designated domains. Sure, but they sail under their own look alike flag. They can't "steal" the reputation of an ISP with millions of zombies for their criminal purposes. Admittedly that reputation won't be good, but still better than "ebo

[ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Frank Ellermann
Douglas Otis wrote: > DKIM offer no protection without annotations. DKIM > Designation should be annotated differently than messages > where the 2822.From address and the signing domain match. Do we already have this in the requirements ? At some point you could probably say that it's "obvious"

Re: [ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Hector Santos
From: "Wietse Venema" > Apologies. Let me phrase this better. > > None of these loopholes would exist if signatures could vouch only > for rfc822.from domains that match the signature's d= domain (*). > Third party signatures are part of the problem. Making them "work > right" requires additional

Re: [ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Douglas Otis
On Sat, 2006-08-26 at 22:29 -0400, Wietse Venema wrote: > None of these loopholes would exist if d= domains were required to > match rfc822.from domains (*). Third party signatures are part of > the problem. Making them "work right" requires additional complexity. > Complexity leads to error, vuln

Re: [ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Wietse Venema
Wietse Venema: > Hector Santos: > > > A bad actor can register look-alike domains and add their own DKIM > > > signature sent through any number of providers. Designation does not > > > make this problem worse. With the entire email-address being > > > internationalized, a problem of visual reco

Re: [ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Douglas Otis
On Sat, 2006-08-26 at 21:52 -0400, Hector Santos wrote: > What Frank is saying is the ISP.COM has all power to control this and > protect his users from direct DKIM phish attacks in a very elegant and > graceful manner using SSP. > > The phisher has harvested hundreds or even thousands of users at

Re: [ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Wietse Venema
Hector Santos: > > A bad actor can register look-alike domains and add their own DKIM > > signature sent through any number of providers. Designation does not > > make this problem worse. With the entire email-address being > > internationalized, a problem of visual recognition must be handled >

Re: [ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Hector Santos
- Original Message - From: "Douglas Otis" <[EMAIL PROTECTED]> To: "Frank Ellermann" <[EMAIL PROTECTED]> > On Sat, 2006-08-26 at 14:54 +0200, Frank Ellermann wrote: > > Stephen Farrell wrote: > > > > > But yet again, each form of delegation has its issues. > > > > Right, but those forms w

Re: [ietf-dkim] Direct vs. Indirect specification of the accountable domain

2006-08-26 Thread Hector Santos
- Original Message - From: "Dave Crocker" <[EMAIL PROTECTED]> To: Sent: Saturday, August 26, 2006 1:29 PM Subject: [ietf-dkim] Direct vs. Indirect specification of the accountabledomain > As a rule, all this extra work ought to be required to > provide extremely significant benefit, ove

Re: [ietf-dkim] Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Douglas Otis
On Sat, 2006-08-26 at 09:18 -0700, Michael Thomas wrote: > [EMAIL PROTECTED] wrote: > > SSP goes beyond that and informs the receiver about the signing > domains practices which also allows you to potentially correlate what > to expect from the author's domain. Maybe the overall problem here is > t

[ietf-dkim] Direct vs. Indirect specification of the accountable domain

2006-08-26 Thread Dave Crocker
Michael Thomas wrote: >> Maybe it's me that's messed up. Using Dave's operator terminology, I >> thought that meant the entity running the MTA (e.g. the ISP or domain >> host). Yes, I believe that matches the way I have been defining the term. > I think you're using it the same way as Dave,

Re: [ietf-dkim] Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Michael Thomas
Scott Kitterman wrote: On Fri, 25 Aug 2006 22:02:40 -0700 Jim Fenton <[EMAIL PROTECTED]> wrote: Scott Kitterman wrote: I can see this going either way. In the end the operator controls what goes out and what doesn't. Both the author domain and the operator domain c

Re: [ietf-dkim] Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Michael Thomas
Stephen Farrell wrote: But if the delegator delegated its private key, or if the signer supplied its public key to the delegator, then the buck might get moved between them (from their, and not the verifier, perspective), depending on the details of how the key delegation happened. For example,

Re: [ietf-dkim] Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Michael Thomas
[EMAIL PROTECTED] wrote: DKIM has nothing to do with reputation, reputation providers may want to use DKIM as part of their processing technologies but that is their issue/point of failure. I want something that allows me to accurately identify who decided to send me a piece of mail. What I choo

Re: [ietf-dkim] Responsibility concerns with Designated Signing Domains

2006-08-26 Thread william(at)elan.net
On Fri, 25 Aug 2006, Jim Fenton wrote: While we aren't defining reputation or accreditation services in this working group, it has been widely suggested that such services would use the d= domain on the signature as the "lookup key" for retrieving reputation or accreditation information. Not

Re: [ietf-dkim] Scalability concerns with Designated Signing Domains

2006-08-26 Thread Douglas Otis
On Sat, 2006-08-26 at 08:18 -0700, william(at)elan.net wrote: > I've proposed before that in case of large number of domains SPF-like > macro expansion be allowed in place of actual domain. Bad idea and not needed. To scale into the tens of thousands, just prefix the queried domain above the poli

Re: [ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Douglas Otis
On Sat, 2006-08-26 at 14:54 +0200, Frank Ellermann wrote: > Stephen Farrell wrote: > > > But yet again, each form of delegation has its issues. > > Right, but those forms where the delegator can delegate > without prior and explicit consent of the delegatee are > beyond my no-nonsense limit. Ide

Re: [ietf-dkim] Scalability concerns with Designated Signing Domains

2006-08-26 Thread william(at)elan.net
I've proposed before that in case of large number of domains SPF-like macro expansion be allowed in place of actual domain. On Fri, 25 Aug 2006, Jim Fenton wrote: [This is the first of a two messages outlining my concerns about SSP Designated Signing Domains. I'll break each category of conce

[ietf-dkim] Re: T-Shirt Entries

2006-08-26 Thread Frank Ellermann
Scott Kitterman wrote: > DKIM = Who you are > DKIM != What you are Hm... so far I saw nothing I'd like on a T-shirt. Here's an anti-proposal: DKIM = add crypto to your timestamp line Frank ___ NOTE WELL: This list operates according to http://mip

[ietf-dkim] Re: Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Frank Ellermann
Stephen Farrell wrote: > But yet again, each form of delegation has its issues. Right, but those forms where the delegator can delegate without prior and explicit consent of the delegatee are beyond my no-nonsense limit. Ideally "explicit" should allow receivers to verify this. If an ISP uses a

Re: [ietf-dkim] Policy Discovery

2006-08-26 Thread Hector Santos
- Original Message - From: "Jim Fenton" <[EMAIL PROTECTED]> To: "Thomas A. Fine" <[EMAIL PROTECTED]> >> If the policy says no overrides, then whatever policy you >> find, you're done, and you don't have to look up any more. >> If there's no policy, you assume a default of override-dept

RE: [ietf-dkim] Scalability concerns with Designated Signing Domains

2006-08-26 Thread Bill.Oxley
It was late, the size of a udp packet Bill Oxley Messaging Engineer Cox Communications, Inc. Alpharetta GA 404-847-6397 [EMAIL PROTECTED] -Original Message- From: Jim Fenton [mailto:[EMAIL PROTECTED] Sent: Saturday, August 26, 2006 12:56 AM To: Oxley, Bill (CCI-Atlanta) Cc: [EMAIL

Re: [ietf-dkim] Responsibility concerns with Designated Signing Domains

2006-08-26 Thread Douglas Otis
On Fri, 2006-08-25 at 22:10 -0700, Jim Fenton wrote: > Douglas Otis wrote: > > > It MUST always be the provider offering outbound services, not the > > provider receiving messages held accountable. The designators are > > the receivers of email. Not the senders and signers. Reputation > > is ab

Re: [ietf-dkim] Scalability concerns with Designated Signing Domains

2006-08-26 Thread Hector Santos
- Original Message - From: "Stephen Farrell" <[EMAIL PROTECTED]> To: "Jim Fenton" <[EMAIL PROTECTED]> > Yep. 120 names sounds horrible. But then so would be 120 delegatees > of whatever flavour probably. > > But I at least have no clue as to how many domains would have so > many delegate

Re: [ietf-dkim] Policy Discovery

2006-08-26 Thread Thomas A. Fine
Jim Fenton wrote: >The next revision of that draft, although not finalized, will probably >do things differently. It will check both for the existence of the SSP >record and for the existence of the domain. If the domain exists but >the SSP record doesn't, then it will search up only one level.